GHSA-5hfv-mg5x-mv32

Source
https://github.com/advisories/GHSA-5hfv-mg5x-mv32
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-5hfv-mg5x-mv32/GHSA-5hfv-mg5x-mv32.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-5hfv-mg5x-mv32
Aliases
  • CVE-2022-25178
Published
2022-02-16T00:01:33Z
Modified
2023-11-01T04:58:14.436258Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Improper Limitation of a Pathname to a Restricted Directory in Jenkins Pipeline: Shared Groovy Libraries Plugin
Details

Jenkins Pipeline: Shared Groovy Libraries Plugin does not restrict the names of resources passed to the `libraryResource` step, allowing attackers able to configure Pipelines to read arbitrary files on the Jenkins controller file system.

Database specific
{
    "nvd_published_at": "2022-02-15T17:15:00Z",
    "cwe_ids": [
        "CWE-22"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-20T22:46:58Z"
}
Affected packages

Maven / org.jenkins-ci.plugins.workflow:workflow-cps-global-lib

Package

Name
org.jenkins-ci.plugins.workflow:workflow-cps-global-lib
Purl
pkg:maven/org.jenkins-ci.plugins.workflow/workflow-cps-global-lib

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.22
Fixed
561.va_ce0de3c2d69

Affected versions

544.*

544.vff04fa68714d

545.*

545.v7b28cce323cf

548.*

548.v9085a486966a

552.*

552.vd9cc05b8a2e1
552.554.vdba55efb9e88

Database specific

{
    "last_known_affected_version_range": "<= 552.vd9cc05b8a2e1"
}

Maven / org.jenkins-ci.plugins.workflow:workflow-cps-global-lib

Package

Name
org.jenkins-ci.plugins.workflow:workflow-cps-global-lib
Purl
pkg:maven/org.jenkins-ci.plugins.workflow/workflow-cps-global-lib

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.19
Fixed
2.21.1

Affected versions

2.*

2.19
2.20
2.21

Maven / org.jenkins-ci.plugins.workflow:workflow-cps-global-lib

Package

Name
org.jenkins-ci.plugins.workflow:workflow-cps-global-lib
Purl
pkg:maven/org.jenkins-ci.plugins.workflow/workflow-cps-global-lib

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.18.1

Affected versions

0.*

0.1-beta-5
0.1-beta-6
0.1-beta-7
0.1-beta-8

1.*

1.0-beta-1
1.0
1.1
1.2
1.3
1.4
1.4.1
1.4.2
1.4.3-beta-1
1.4.3
1.5
1.6-alpha-1
1.6
1.7-alpha-1
1.7
1.8
1.9-beta-1
1.9
1.10-beta-1
1.10
1.10.1
1.11-beta-1
1.11-beta-2
1.11-beta-3
1.11-beta-4
1.11
1.12-beta-1
1.12-beta-2
1.12-beta-3
1.12
1.13
1.14-beta-1
1.14
1.14.1-beta-1
1.14.1
1.14.2
1.15-beta-1
1.15

2.*

2.0
2.1
2.2
2.3
2.4
2.5
2.6
2.7
2.8
2.9
2.10
2.11
2.12
2.12.1
2.13
2.13.1
2.14
2.15
2.16
2.17
2.18